PT-2022-26164 · Xwiki · Xwiki Platform
Yana Oksner · Published 2022-09-16 · Updated 2023-07-10
CVE-2022-41933
CVSS v3.1: 6.2 (Medium)
Vector: AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions
XWiki Platform versions 13.1RC1 through 14.6RC1
XWiki Platform versions 13.1RC1 through 14.4.3
XWiki Platform versions 13.1RC1 through 13.10.8
Description
The XWiki Platform has a vulnerability where a user's password is stored in plain text in the database when the "reset a forgotten password" feature is used. This issue affects XWiki 13.1RC1 and newer versions, specifically the password reset feature reached through the "Forgot your password" link in the login view. The features that let a user change their own password, or let an admin change a user's password, are not affected. This vulnerability is particularly dangerous in combination with other vulnerabilities that allow leaks of users' personal data, since the leaked records would then contain usable credentials. The problem has been patched in versions 14.6RC1, 14.4.3, and 13.10.8.
Recommendations
For XWiki Platform versions 13.1RC1 through 14.6RC1, update to version 14.6RC1 or later.
For XWiki Platform versions 13.1RC1 through 14.4.3, update to version 14.4.3 or later.
For XWiki Platform versions 13.1RC1 through 13.10.8, update to version 13.10.8 or later.
As a temporary workaround, consider manually resetting the passwords of affected users or rolling back to a previous version of each affected user document. Administrators can also set properties for the migration that decide whether an affected user's password is reset or kept but stored only in hashed form.
Missing Authorization
Cleartext Storage of Sensitive Information
Insufficiently Protected Credentials
Affected Products
Xwiki Platform